{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-28T18:38:59.679","vulnerabilities":[{"cve":{"id":"CVE-2026-27839","sourceIdentifier":"security-advisories@github.com","published":"2026-02-26T23:16:35.123","lastModified":"2026-06-17T10:27:46.367","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue."},{"lang":"es","value":"wger es un gestor gratuito y de código abierto de entrenamientos y estado físico. En las versiones hasta la 2.4 inclusive, tres puntos finales de acción 'nutritional_values' recuperan objetos a través de 'Model.objects.get(pk=pk)' — una llamada ORM directa que omite el queryset con ámbito de usuario. Cualquier usuario autenticado puede leer los datos del plan de nutrición privado de otro usuario, incluyendo la ingesta calórica y el desglose completo de macronutrientes, al proporcionar un PK arbitrario. El commit 29876a1954fe959e4b58ef070170e81703dab60e contiene una solución para el problema."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"wger-project","product":"wger","versions":[{"version":"<= 2.4","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-03-03T01:36:36.210139Z","id":"CVE-2026-27839","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-639"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wger:wger:*:*:*:*:*:*:*:*","versionEndIncluding":"2.4","matchCriteriaId":"069E9B5B-A461-47CB-90EA-9A0F99C25C77"}]}]}],"references":[{"url":"https://github.com/wger-project/wger/commit/29876a1954fe959e4b58ef070170e81703dab60e","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/wger-project/wger/security/advisories/GHSA-g8gc-6c4h-jg86","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}